But as Levar Burton used to say, "You don't have to take my word for it". Strap on your scarf and skinny jeans and let's take a look at how Express really holds up under some pretty fundamental requirements.

Registration And Login

Most apps start with a login/registration form. This sounds simple, but every time I build a form, I forget how much logic is involved. It's a good test for a web application framework since it involves request routing, form posting, session state, security, backend data operations and client/server data validation.

I am going to be using Everlive as my back-end data store for users. Telerik Everlive is a back-end service (sometimes referred to as a "Cloud") that offers data storage, user management, roles, email, push notifications and much much more. The best part is that developer accounts are completely free.

I'm just going to create a sample Everlive project called "Dashboard", and I'll think of something witty to set as the description.

Creating The Express App

Of course, NodeJS is a requirement for using Express, as it's the platform on which Express runs. Install Express globally (meaning it's accessible from any place on your file system) using npm.

> npm install -g express

Then create the new "Dashboard" application.

> express dashboard

Express will then create a directory with that name and put the generated project files inside. It will ask you to navigate into that directory and install the dependencies when it's finished initializing the application.

> cd dashboard && npm install

Start the Express app with Node.

> node app

You're up and running! Now it's time to get down to some real business.

Create login.jade and register.jade files. I'm not using the layout.jade for these pages since I usually reserve that for the application layout.

Quick note on Jade: I was really perturbed by Jade the first time I used Express since it will not allow you to write HTML. You can use EJS templates for that, but Jade is really quite nice once you get a feel for it. It does take some getting used to, so give it a chance.

Now open the routes/index.js file so we can define these login and register methods. I'm going to redirect all root traffic to login as well since everyone needs to come through the front door. No cheating.

Now create the registerUser method in routes/index.js. We can pull the form values right off of the request body. Everlive will want at least a username and password, but will take any additional fields like Email and DisplayName.

WAIT. The client validated the input, but we can never fully rely on that. This is one of the truly maddening things about web development. We send our data to another place and time that we have no control over, so we can't be sure that what we get back has any integrity at all.

Node has a validator package that is exposed as "Express Middleware" called "Express Validator". Install it with NPM.

"Middleware" simply means that we can use this library directly on the request and response HTTP objects in Express since this library is tied into the Express core.

Once the data has been run through the validator, we check for errors and then pass them back to the client if there are any. Just for testing, I'm going to pass back a success message that we'll eventually replace with the actual register functionality.

Then just include this template wherever you want the messages to show up in the login and registration pages.

include messages
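
The server-side re-check described above, as an added example that is not the article's original code and does not use Express Validator: a dependency-free validator in the shape of an Express route handler. The field names (username, password, email, displayName) and the length limits are assumptions.

```javascript
// Added example: server-side validation for the registration POST.
// Field names and limits are assumptions, not taken from the article's form.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Each rule is [field, message, predicate]; predicates only ever see strings.
const RULES = [
  ['username', 'Username must be 3-32 letters, digits, "." or "_"',
    v => /^[A-Za-z0-9._]{3,32}$/.test(v)],
  ['password', 'Password must be 8-128 characters',
    v => v.length >= 8 && v.length <= 128],
  ['email', 'A valid email address is required',
    v => v.length <= 254 && EMAIL_RE.test(v)],
  ['displayName', 'Display name must be 1-64 characters',
    v => v.trim().length >= 1 && v.length <= 64],
];

function validateRegistration(body) {
  const errors = [];
  const input = body && typeof body === 'object' ? body : {};
  for (const [field, msg, ok] of RULES) {
    const value = input[field];
    // Body parsers can turn "username[]=a" or JSON into arrays or objects,
    // so reject anything that is not a plain string before running the rule.
    if (typeof value !== 'string' || !ok(value)) {
      errors.push({ param: field, msg });
    }
  }
  return errors;
}

// Route handler in the (req, res) shape Express expects.
function registerUser(req, res) {
  const body = req.body || {};
  const errors = validateRegistration(body);
  if (errors.length > 0) {
    // Re-render the form with the errors; never echo the password back.
    return res.status(400).render('register', {
      errors,
      values: { username: String(body.username || ''), email: String(body.email || '') },
    });
  }
  return res.render('register', { success: 'Validation passed' });
}
```

The type check matters as much as the format rules: a client that bypasses the form can send arrays or nested objects where the handler expects strings.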

Registering Users In Everlive

We are finally ready to register users! I know it seems like a lot of code, but this is the reality of forms. This is why this is such a great exercise for testing and learning Express.

Everlive exposes its API via REST URLs, but there is also a JavaScript SDK that is exposed in the form of both a browser script and an npm package.

Install the Everlive SDK with NPM.

> npm install everlive-sdk --save-dev

In case you are wondering what --save-dev is for, we are using it to store our dependency on these new packages in the project package.json file. This way, you can have your mates pull the project down and all they have to do is the standard npm install when they set the project up. They will love and cherish you for this.

Grab your API Key from the Everlive project you created.

Include the Everlive SDK at the top of the routes/index.js file and then initialize the library, passing in your API key. I also added a flash variable at the top of the file that I can use to pass messages from other methods to a view.

The Everlive SDK wraps all of the REST API configuration into some neat methods, and the best part is that they ALL return promises since they are asynchronous calls to a remote service.

Register the user calling the register method on the Users object. If the registration fails, set the flash message and return the register method. If it's successful, return the login page and flash a message that they should confirm their account.

Let's implement the login functionality. Remember the login form? We created it at the very beginning of this article, and now we need it. Add the flash message template to the login.jade code. We also need to validate it. Fortunately, that doesn't require nearly as much code as the registration page.

The Dashboard view is the holy grail. It is the ENTIRE reason we have gone to all this trouble to register and log in users. Go ahead and create it. I've added a simple Bootstrap navbar which will display the user's name and a logout button.

Storing The Secure Login

Right now, we just blindly log people in since the login method for Everlive just returns a success or failure. Once we get a success, we can call the currentUser() method to get information about the user. Then we can store it securely on the server for the life of the session using...

Express Sessions

Sessions are secure data that is isolated to a specific user during a specific window of application use by way of cookies. Express includes session support in its out-of-the-box Middleware package. We can add it in app.js.

We don't have to validate this time because Everlive isn't going to let us get very far without a username and password. Also, the user can't log in until they have verified their account.

Once the user has verified their account, they can log in and access the sacred Dashboard page. Actually, they can access it without logging in because we haven't restricted access to it yet.

Restricting Access To Routes

Did I mention that Express is very minimalistic? We kind of need to implement our own function to enforce security. The good news is that it's incredibly easy since we can pass a second function to a route which intercepts the request and response and allows us to perform some function on them.
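
The session storage and route guard described in the last two sections, as an added example that is not the article's original code. It assumes the session middleware exposes req.session with regenerate() and destroy(), as express-session does; the /login and /dashboard paths and the Id field on the user record are assumptions.

```javascript
// Added example: plain functions in Express's middleware shape.
// Assumed: req.session.regenerate()/destroy() are provided by the session
// middleware; user.Id is an assumed field name on the back-end user record.

// Call after the back end reports a successful login.
function establishSession(req, user, done) {
  // Issue a fresh session ID so an ID set before login (session fixation)
  // never becomes an authenticated one.
  req.session.regenerate(function (err) {
    if (err) return done(err);
    // Keep only what the views need: no password, no access token.
    req.session.user = { id: user.Id, displayName: user.DisplayName };
    done(null);
  });
}

// Guard passed as the second argument to a route, before the real handler.
function requireLogin(req, res, next) {
  if (req.session && req.session.user && req.session.user.id) {
    return next();
  }
  // Not authenticated: stop here so the protected handler never runs.
  return res.redirect('/login');
}

// Logout destroys the server-side session rather than only hiding the page.
function logout(req, res) {
  req.session.destroy(function () {
    res.redirect('/login');
  });
}

// Wiring (assumed names): app.get('/dashboard', requireLogin, routes.dashboard);
```

Every route that renders user data needs the guard; a navbar that hides the link does not protect the URL.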

Express Is Fun!

It is! It's a no-frills framework, and I think that's a GOOD thing. I like it. Having an intelligent backend system with a nice SDK really helps as well. So turn up that "Arcade Fire" album, put on those Buddy Holly glasses and embrace your inner hipster.

Burke Holland

Burke Holland is a web developer living in Nashville, TN and the Director of Developer Relations at Telerik. He enjoys working with and meeting developers who are building mobile apps with jQuery / HTML5 and loves to hack on social APIs. Burke works for Telerik as a Developer Advocate focusing on Kendo UI.
